There is a renewed urgency for employers to evaluate whether they are covered entities under the Health Insurance Portability and Accountability Act (HIPAA). September 23 is the deadline for most action items under the new final regulations.

Employers may not be aware they may be considered covered entities under HIPAA.

Most employers that provide self-funded or self-administered health insurance benefits to their employees are covered entities and must comply with HIPAA privacy rules. This includes many employers with self-funded plans, even if a third-party administrator is utilized (although there is an exception for plans with fewer than 50 participants).

In addition, employers may be covered entities if they provide certain wellness programs, employee assistance programs, medical reimbursement accounts, or on-site clinics (if operated by the employer).

An employer may also be considered a “business associate” of its insurance provider, if it receives protected health information while performing services for the insurance provider or another covered entity. Such employers will need to manage their relationships with benefit administrators through business associate agreements. Generally, protected health information means individually identifiable health information that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the physical or mental health or condition of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual.

However, if the employer receives protected health information solely in its role as an employer, it is not subject to HIPAA. Such protected health information may be related to the Family and Medical Leave Act, workers’ compensation claims, life and disability insurance, or medical information relating to the ability of an employee to perform duties required for employment.

Any employer who receives protected health information needs to have an assessment performed to determine if it is a covered entity or a business associate of a covered entity. If it is determined to be a covered entity or business associate, it must comply with the requirements of HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

If an employer is determined to be a covered entity, it must:

perform a risk assessment;
have a written privacy policy;
update and distribute a notice of privacy practices;
have privacy rules in place;
train the workforce of individuals who have access to protected health information; and
have forms and policies in place for complying with participant requests for restrictions on the use of protected health information and for providing copies of protected health information to others.

In addition, covered entities must identify and have agreements with business associates who have access to protected health information.

Finally, both covered entities and business associates must be cognizant of the obligation to report breaches of protected health information under HIPAA and HITECH. New breach penalties are higher, and the U.S. Department of Health and Human Services has become more aggressive in its enforcement. Penalties may range from as low as $100 per violation to as high as $50,000 per violation, up to a maximum penalty of $1.5 million per year, depending on the circumstances and nature of the violations. Covered entities that suffer a breach and have not taken appropriate steps to comply with the rule will be more severely penalized.

Now is the time for employers to assess their status under HIPAA and HITECH.

For more information, contact Bruce Lamb, leader of Gunster’s health law practice.

This publication is for general information only. It is not legal advice, and legal counsel should be contacted before any action is taken that might be influenced by this publication.

Established in 1925, Gunster is one of Florida’s oldest and largest full-service law firms. The firm’s clients include international, national and local businesses, institutions, local governments and prominent individuals. Gunster maintains its presence in Florida with offices in Fort Lauderdale, Jacksonville, Miami, Orlando, Palm Beach, Stuart, Tallahassee, Tampa, The Florida Keys, Vero Beach and its headquarters in West Palm Beach. Gunster is home to more than 150 attorneys and 200 committed support staff, providing counsel to clients through 18 practice groups including banking & financial services; business litigation; construction; corporate; environmental & land use; government affairs; health care; immigration; international; labor & employment; leisure & resorts; private wealth services; probate, trust & guardianship litigation; professional malpractice; real estate; securities and corporate governance; tax; and technology & entrepreneurial companies. Gunster is ranked among the National Law Journal’s list of the 350 largest law firms.
